What is web security testing?

2009-08-01 00:08:15

The question "What is web security testing?" is something I get asked a lot in my field of work, and most people do not understand what it is, what it is for, and how it is done.

I hope to explain all of these in as short a time as possible.

First of all:

What is web security testing?


Web security testing is a process in which a web security professional runs a large number of tests against a website or web server to find the ways an attacker could break into it.

Usually, a highly detailed report is returned to the client, listing every test that was performed, where security vulnerabilities were found, and how to fix them.

What is web security testing for?


Security testing is designed to find out how an attacker could hack a website or web server before a real attacker does.

Every year, billions of dollars are spent worldwide to repair damage caused by hackers, and websites are no exception.

When a major website is hacked, especially an ecommerce site, it loses credibility overnight, and the cost of the breach can run into millions very quickly.

A web security test finds these weaknesses first, so they can be fixed before an attacker exploits them.

How is a web security test done?


There are thousands of companies, including some very large ones, that sell software or automated scanning services for this, but on their own these are next to meaningless.

Everyone has seen seals like "Tested hacker safe" or "Verisign secured," but as evidence that a site is actually secure they are close to worthless.

Skilled hackers find problems that these scanners miss on a daily basis, and then share them on underground hacker websites.

Real web security tests are done by professionals, usually teams of them, who attempt to hack the website or server the same way a real attacker would.

This process usually involves dozens or hundreds of scans just as a start, to find anything obvious, but the testers then go further and attempt to penetrate the website's security manually.

Almost always, these professionals find something that the scanners missed, and almost always, those are critical vulnerabilities.
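To make the difference between a scanner and a manual tester concrete, here is an added example; it is not code from the original post or from the author's consulting service. Everything in it is constructed for illustration: a tiny in-memory "web app" with two deliberate weaknesses (string-built SQL in a search handler, and an order lookup that never checks who owns the order), a payload-based scanner of the kind an automated service runs, and the kind of check a tester does by hand. The scanner finds the SQL problem because it produces a database error; it never finds the ownership flaw, because every injection payload is simply rejected there. A tester who logs in as one user and walks the id space finds it in seconds.

```python
"""
Constructed toy for this post: automated scanning vs. manual testing.
Names, routes, data and both weaknesses are invented for the example.
"""
import sqlite3
from urllib.parse import urlparse, parse_qs


def build_app():
    """Constructed toy app: an in-memory SQLite DB plus a request handler.
    Returns handle(url, session_user) -> (status, body)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "alice", "headset")])

    def handle(url, session_user):
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if parsed.path == "/search":
            # Deliberate weakness 1: SQL built by string formatting.
            # A quote in q breaks the statement, which is what scanners look for.
            q = params.get("q", "")
            sql = (f"SELECT item FROM orders WHERE owner = '{session_user}' "
                   f"AND item LIKE '%{q}%'")
            try:
                rows = db.execute(sql).fetchall()
            except sqlite3.Error as e:
                return 500, f"Database error: {e}"
            return 200, ",".join(r[0] for r in rows)
        if parsed.path == "/order":
            # Deliberate weakness 2: no ownership check on the order id.
            # The query is parameterised, so injection payloads do nothing here
            # and an error-based scanner sees nothing wrong.
            oid = params.get("id", "0")
            if not oid.isdigit():
                return 400, "bad id"
            row = db.execute("SELECT owner, item FROM orders WHERE id = ?",
                             (int(oid),)).fetchone()
            if row is None:
                return 404, "not found"
            return 200, f"{row[0]}:{row[1]}"
        return 404, "not found"

    return handle


# Payloads a simple error-based SQL injection scanner throws at every parameter.
SQLI_PAYLOADS = ["'", "' OR '1'='1", "'--", "' AND 1=CAST('x' AS INTEGER)--"]


def automated_scan(handle, endpoints, session_user="alice"):
    """Fire each payload at each (path, parameter) and flag responses that
    look like database errors. Returns a list of (path, param, payload)."""
    findings = []
    for path, param in endpoints:
        for payload in SQLI_PAYLOADS:
            status, body = handle(f"{path}?{param}={payload}", session_user)
            if status == 500 and "error" in body.lower():
                findings.append((path, param, payload))
                break  # one confirming payload per parameter is enough
    return findings


def manual_idor_check(handle, session_user="alice", probe_ids=range(1, 4)):
    """What a tester does by hand: stay logged in as one user, walk the id
    space, and note every record that belongs to somebody else."""
    leaked = []
    for oid in probe_ids:
        status, body = handle(f"/order?id={oid}", session_user)
        if status == 200:
            owner, _ = body.split(":", 1)
            if owner != session_user:
                leaked.append(oid)
    return leaked


if __name__ == "__main__":
    app = build_app()
    print("scanner found:", automated_scan(app, [("/search", "q"), ("/order", "id")]))
    print("manual check leaked order ids:", manual_idor_check(app))
```

Run as a script it reports the single injection point the scanner can see and the order id the manual check pulls out from under another user. The point generalises: anything that depends on who the user is and what they are allowed to do (authorisation, workflow, pricing) looks perfectly healthy to a payload scanner, which is exactly the class of problem a manual tester is paid to find.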

Where might one find some of these professionals?

My (biased) opinion is to contact me. You can find more about these services at my Security Consulting Site. However, there are numerous very professional, very effective businesses out there that are perfectly viable alternatives that can be found on Google.
